The Stage 1 payload is the machine code component included in the exploit delivered to the target's web browser or local application. Many injection vectors have limited space available for payload code, so the primary purpose of the Stage 1 payload is to establish communication with a server controlled by the penetration tester in order to download a subsequent stage payload that is free of code size constraints. The payload may be wrapped in a polymorphic decoder in order to evade intrusion detection and eliminate interpreted byte values from the exploit buffer.
The payload includes an ElGamal public key for the payload server
(generator
, prime modulus
, public value
,
where
is the secret exponent). The payload proceeds to complete
the ElGamal key agreement protocol and compute a session key for use
in communicating with the payload delivery server. The payload
generates a random number
using an operating-system-provided
secure random facility. On Windows, RtlGenRandom from ADVAPI32.DLL can be used to easily generate secure random bytes.
Similarly, on Linux or other Unix-like operating systems, /dev/urandom can be read for secure random bytes. The payload then
computes
using the generator
and prime modulus
from the server's public key. The payload also computes the
session key
. Since
is a generator
over
and
is cryptographically random, the
computed session key will have sufficient entropy. The payload
proceeds to send
to the payload server and further communication
is encrypted using the session key
and the RC4 stream cipher. The
initial 256 bytes of RC4 keystream are
discarded[16] and separate RC4 keystreams are
used for traffic in each direction in order to address weaknesses in
RC4. In addition, a random initialization vector is used for each
stream to prevent keystream reuse.
Finally, the Stage 1 payload enters a loop repeatedly downloading, decrypting, and executing code from the payload server.
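The key agreement and RC4 handling described above, as an added Python example that is not code from the original page: it runs both sides of the agreement and shows why one keystream shared by both directions exposes the XOR of the two plaintexts, while per-direction keys do not. The toy group, the symbol names (`P`, `G`, `x`, `y`, `k`, `c`), the SHA-256 key derivation in `stream_key` and the sample messages are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group: the Mersenne prime 2**127 - 1 with base 3. Far too small for real use.
P, G = 2**127 - 1, 3

def agree():
    """Run both sides of the agreement; return (client_key, server_key)."""
    x = secrets.randbelow(P - 2) + 1      # server's secret exponent
    y = pow(G, x, P)                      # server's public value, known to the client
    k = secrets.randbelow(P - 2) + 1      # client's random number from the OS CSPRNG
    c = pow(G, k, P)                      # value the client sends to the server
    return pow(y, k, P), pow(c, x, P)     # y^k == c^x == G^(x*k) mod P

def rc4_keystream(key: bytes, n: int, drop: int = 256) -> bytes:
    """Return n keystream bytes after discarding the first `drop` bytes."""
    s, j = list(range(256)), 0
    for i in range(256):                  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):             # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[drop:])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def stream_key(session_key: int, direction: bytes, iv: bytes) -> bytes:
    """Assumed derivation: hash the session key with a direction label and the IV."""
    return hashlib.sha256(session_key.to_bytes(16, "big") + direction + iv).digest()

def leaks_xor(key_up: bytes, key_down: bytes, m_up: bytes, m_down: bytes) -> bool:
    """True if XORing the two ciphertexts cancels the keystream, exposing m_up ^ m_down."""
    c_up = xor(m_up, rc4_keystream(key_up, len(m_up)))
    c_down = xor(m_down, rc4_keystream(key_down, len(m_down)))
    return xor(c_up, c_down) == xor(m_up, m_down)

if __name__ == "__main__":
    client, server = agree()
    up, down = b"client to server msg", b"server to client msg"  # constructed samples
    shared = stream_key(client, b"", b"")
    print("same key both ways leaks:", leaks_xor(shared, shared, up, down))
    k_up = stream_key(client, b"c2s", secrets.token_bytes(16))
    k_down = stream_key(server, b"s2c", secrets.token_bytes(16))
    print("per-direction keys leak:", leaks_xor(k_up, k_down, up, down))
```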